Henny Sipma, November 16, 2006 Washington University at St Louis - p. 1/66
Constraint-Based Static Analysis of Programs
Joint work with Michael Colón, Sriram Sankaranarayanan, Aaron Bradley and Zohar Manna
Henny Sipma, Stanford University
Master Class Seminar at Washington University at St Louis, 2006
Introduction
● Motivation
● Motivation
● Overflows
● Division by Zero
● Deadlock Freedom
● Transition Systems
● Transition Systems
● Traditional Approach
● Forward Propagation
● Problems
● Common Solution
● Example
● Example - step 1
● Example - step 2
● Example - step 3
● Example - step 4
● Constraint-Based
Constraint-based Analysis:
Overview
Computing Linear Invariants
Linear Ranking Functions
Nonlinear Invariants
Summary
Introduction
Motivation
Objective: to extract information about the program behavior from the program text
■ invariants
■ termination
■ temporal properties
■ . . .
Trivial Example
```
integer i, j where i = 2 ∧ j = 0
ℓ0 : while (...) do
       if (...) then
         i := i + 4
       else
         (i, j) := (i + 2, j + 1)
```
i ≥ 2, j ≥ 0, and i − 2j ≥ 2 are invariants.
Objective: To obtain such invariants automatically
Buffer Overflow Analysis
```c
int *a = malloc(sizeof(int) * n);
int i, j, k;
for (i = 0; i < n; ++i)
    for (j = 0; 2*j <= i; ++j)
        if (a[i] <= a[2*j+1])
            .....
...
```
Bound conditions to establish for the two accesses: 0 ≤ i < n? and 0 ≤ 2j + 1 < n?
Check bounds for each array access.
Division by Zero
```c
double a, b, c;
....
while (b > 0 || c >= 0) {
    a = a + b / (c + b - 1);
    ....
}
```
Condition to establish at the division: c + b − 1 > 0
Prove every divisor non-zero.
Deadlock Freedom
[Figure: a Petri net whose places and transitions are labelled x1 to x25]
Is this Petri net deadlock free? [Zhou et al. : 1992]
Preliminaries: Transition Systems
```
integer i, j where i = 2 ∧ j = 0
ℓ0 : while true do
       i := i + 4
     or
       (i, j) := (i + 2, j + 1)
```
Transition system:

$$\Big\langle\ \underbrace{L : \{\ell_0\}}_{\text{locations}},\ \underbrace{V : \{i, j\}}_{\text{variables}},\ \underbrace{T : \{\tau_1, \tau_2\}}_{\text{transitions}},\ \underbrace{\Theta : (i = 2 \wedge j = 0)}_{\text{initial condition}},\ \underbrace{L_0 : \ell_0}_{\text{initial location}}\ \Big\rangle$$

with

$$\tau_1 = \langle \ell_0, \ell_0, \rho_{\tau_1} : (i' = i + 4 \wedge j' = j)\rangle$$

$$\tau_2 = \langle \ell_0, \ell_0, \underbrace{\rho_{\tau_2} : (i' = i + 2 \wedge j' = j + 1)}_{\text{transition relation}}\rangle$$
Transition System: Execution
Computation: an infinite sequence of states ⟨ℓi, xi⟩

$$\langle \ell_0, x_0\rangle \xrightarrow{\tau_1} \langle \ell_1, x_1\rangle \xrightarrow{\tau_2} \langle \ell_2, x_2\rangle \to \cdots$$

such that
■ the initial condition is satisfied: $\ell_0 = L_0 \wedge \Theta(x_0)$
■ consecutive states ⟨ℓi, xi⟩ → ⟨ℓi+1, xi+1⟩ satisfy some transition $\tau_k : \langle \ell_i, \ell_{i+1}, \rho_{\tau_k}(x_i, x_{i+1})\rangle$
Static Analysis: Traditional Approach
Symbolic forward simulation to obtain an overapproximation of the reachable state space (i.e. invariants).
[Figure: nested regions Θ ⊆ F1 ⊆ F2 ⊆ … enclosing the reachable states]
Forward Propagation
$$F_0 : \Theta$$
$$F_1 : F_0 \vee \Big(\bigvee_{\tau \in T} post_\tau(F_0)\Big)$$
$$F_2 : F_1 \vee \Big(\bigvee_{\tau \in T} post_\tau(F_1)\Big)$$
$$\ldots$$

until $F_{i+1} \to F_i$, with $post_\tau(\varphi) : \exists V_0 \cdot (\varphi(V_0) \wedge \rho_\tau(V_0, V))$
Problems
1. May not converge in finite time. Example:
```
integer i where i = 0
while true do i := i + 1
```
F0 : i = 0
F1 : i = 0 ∨ i = 1
F2 : i = 0 ∨ i = 1 ∨ i = 2
...
We never reach: i ≥ 0

2. May not be able to detect convergence (the check Fn+1 → Fn)
Common Solution
Abstract Interpretation [Cousot & Cousot, '77]: perform the symbolic simulation in an abstract domain:

| Domain | Converges? | Reference |
|---|---|---|
| Linear equalities | yes | Karr '76; Müller-Olm, Seidl '04; Gulwani, Necula '03 |
| Linear inequalities | no | Cousot, Halbwachs '79 |
| Intervals | no | Cousot, Cousot '76 |
| Octagons | no | Miné '01 |
| Octahedra | no | Clarisó, Cortadella '04 |
| TCM | no | SSM '04 |

Use a widening operator to force convergence.
Example: Forward Propagation
```
integer i, j where i = 2 ∧ j = 0
ℓ0 : while true do
       i := i + 4
     or
       (i, j) := (i + 2, j + 1)
```
Abstract domain: linear inequalities over the reals
Step 1: Iteration
η0 : (j = 0) ∧ (i = 2)
post(η0, τ1) : (j = 0) ∧ (i = 6)
post(η0, τ2) : (j = 1) ∧ (i = 4)
η1 : (0 ≤ j ≤ 1) ∧ (i − 2j ≥ 2) ∧ (i + 2j ≤ 6)
[Figure: the point η0 = (2, 0) and its successors (6, 0) under τ1 and (4, 1) under τ2 in the (i, j) plane]
Step 2: Iteration
η1 : (0 ≤ j ≤ 1) ∧ (i − 2j ≥ 2) ∧ (i + 2j ≤ 6)
post(η1, τ1) : (0 ≤ j ≤ 1) ∧ (i − 2j ≥ 6) ∧ (i + 2j ≤ 10)
post(η1, τ2) : (1 ≤ j ≤ 2) ∧ (i − 2j ≥ 2) ∧ (i + 2j ≤ 10)
η2 : (0 ≤ j ≤ 2) ∧ (i − 2j ≥ 2) ∧ (i + 2j ≤ 10)
[Figure: the region η1 and the points (2, 0), (6, 0), (10, 0), (4, 1), (8, 1), (6, 2) in the (i, j) plane, reached by τ1 and τ2]
Step 3: Widening Iteration
η1 : (0 ≤ j ≤ 1) ∧ (i − 2j ≥ 2) ∧ (i + 2j ≤ 6)
η2 : (0 ≤ j ≤ 2) ∧ (i − 2j ≥ 2) ∧ (i + 2j ≤ 10)
η3 : (0 ≤ j ≤ 3) ∧ (i − 2j ≥ 2) ∧ (i + 2j ≤ 14)
η′3 = η2 ∇ η3 : (0 ≤ j) ∧ (i − 2j ≥ 2)
[Figure: the widened region η′3 in the (i, j) plane, containing the points (2, 0), (6, 0), (4, 1), (6, 2), (10, 0)]
Iteration: Step 4
post(η′3, τ1) : (0 ≤ j) ∧ (i − 2j ≥ 2)
post(η′3, τ2) : (0 ≤ j) ∧ (i − 2j ≥ 2)
η4 = η′3 ∪ post(η′3, {τ1, τ2}) : (0 ≤ j) ∧ (i − 2j ≥ 2)
[Figure: the region η′3 in the (i, j) plane, with the point (2, 0)]
Note: the iteration terminates, since η4 = η′3.
The final invariants are 0 ≤ j ∧ 2 ≤ i − 2j
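The iteration of Steps 1 to 4, as an added Python example that is not the slides' or the authors' tool: abstract states live in a template-constraint domain whose four rows j, −j, −i + 2j and i + 2j are exactly the ones the ηk above are written in, and transitions are assumed to be translations x' = x + c (true of τ1 and τ2), so the post-image is an exact shift of the bounds. The same routine reproduces the non-convergence from the Problems slide (the counter loop, and this loop without widening) and shows widening at the third step producing η′3.

```python
from math import inf

# Template rows for the (i, j) loop; a state satisfies  t . (i, j) <= bound[t]
# for every row t, so these four rows express the slides' eta_k:
#   j <= b1,  -j <= b2,  -i + 2j <= b3,  i + 2j <= b4.
TEMPLATE_IJ = ((0, 1), (0, -1), (-1, 2), (1, 2))
INIT_IJ = (2, 0)                 # Theta: i = 2 /\ j = 0
TAU_IJ = ((4, 0), (2, 1))        # tau1: i := i + 4;  tau2: (i, j) := (i + 2, j + 1)

def dot(t, x):
    return sum(a * b for a, b in zip(t, x))

def point(template, x):
    """Abstract element describing exactly the single state x."""
    return {t: dot(t, x) for t in template}

def post(eta, c):
    """Post-image of the translation x' = x + c; exact in this domain because
    t . x' = t . x + t . c, so every bound just shifts by t . c."""
    return {t: b + dot(t, c) for t, b in eta.items()}

def join(a, b):
    """Least upper bound (the disjunction F_k v post(F_k)): the weaker bound wins."""
    return {t: max(a[t], b[t]) for t in a}

def widen(old, new):
    """Standard widening: a bound that grew is pushed to +inf, which forces
    the ascending chain to stabilise (the slides' eta_2 nabla eta_3)."""
    return {t: old[t] if new[t] <= old[t] else inf for t in old}

def propagate(template, init, transitions, use_widening, max_steps=50):
    """F_0 = Theta; F_{k+1} = F_k join post_tau(F_k) over all tau, until
    F_{k+1} = F_k.  Widening (when enabled) is applied from the third step,
    as on the slides.  Returns (fixpoint or None, steps taken, history)."""
    eta = point(template, init)
    history = [eta]
    for step in range(1, max_steps + 1):
        nxt = eta
        for c in transitions:
            nxt = join(nxt, post(eta, c))
        if use_widening and step >= 3:
            nxt = widen(eta, nxt)
        history.append(nxt)
        if nxt == eta:
            return eta, step, history
        eta = nxt
    return None, max_steps, history

def show(eta):
    """Render an element as the conjunction of its finite bounds."""
    names = ("i", "j")[:len(next(iter(eta)))]
    terms = []
    for t, b in eta.items():
        if b == inf:
            continue
        lhs = " + ".join(f"{k}*{n}" for k, n in zip(t, names) if k)
        terms.append(f"{lhs} <= {b}")
    return " /\\ ".join(terms)

if __name__ == "__main__":
    fix, steps, hist = propagate(TEMPLATE_IJ, INIT_IJ, TAU_IJ, use_widening=True)
    for k, eta in enumerate(hist):
        print(f"eta_{k}: {show(eta)}")
    print(f"converged after {steps} steps to: {show(fix)}")
    none, n, hist = propagate(TEMPLATE_IJ, INIT_IJ, TAU_IJ, use_widening=False)
    print(f"without widening, still growing after {n} steps: {show(hist[-1])}")
    # The counter loop from the Problems slide: i := i + 1 forever.
    fix, steps, _ = propagate(((1,), (-1,)), (0,), ((1,),), use_widening=True)
    print(f"counter loop with widening: {show(fix)} after {steps} steps")
```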
Constraint-based Analysis: Outline
■ Overview
■ Computing linear invariants
■ Computing linear ranking functions
■ Computing polynomial invariants
■ Related work
■ Conclusions
Constraint-based Analysis: Overview
Constraint-based Analysis: Overview
1. Fix the type and shape of the desired property. Examples:
   ■ linear invariant
   ■ linear ranking function
   ■ polynomial invariant
2. Provide the conditions for the property to hold
3. Encode the conditions on the property as a system ofconstraints
4. Solve the constraints
5. Every solution is a property of the desired type and shape
Computing Linear Invariants
1. Fix type and shape
■ Type: invariant
■ Shape: $c_1x_1 + c_2x_2 + \cdots + c_nx_n + d \le 0$, where $\{x_1, \ldots, x_n\}$ are the program variables and $\{c_1, \ldots, c_n, d\}$ are unknown coefficients
2. Property Conditions
The property $\psi : c_1x_1 + c_2x_2 + \cdots + c_nx_n + d \le 0$ is an invariant of the transition system $\Phi : \langle V : \{x_1, \ldots, x_n\}, \Theta, T : \{\tau_1, \ldots, \tau_k\}\rangle$ if

$$\begin{array}{ll}
\Theta \models \psi & \text{(initiation)} \\
\psi \wedge \rho_{\tau_1} \models \psi' & \text{(consecution)} \\
\quad \vdots & \\
\psi \wedge \rho_{\tau_k} \models \psi' &
\end{array}$$

that is, if
■ it is implied by the initial condition, and
■ it is preserved by all transitions of the system
Property Conditions: Example
```
integer i, j where i = 2 ∧ j = 0
ℓ0 : while true do
       i := i + 4
     or
       (i, j) := (i + 2, j + 1)
```
Target invariant: ψ : c1 i + c2 j + d ≤ 0

Conditions:

$$\underbrace{i = 2 \wedge j = 0}_{\Theta} \models \underbrace{c_1 i + c_2 j + d \le 0}_{\psi}$$

$$\underbrace{c_1 i + c_2 j + d \le 0}_{\psi} \wedge \underbrace{i' = i + 4 \wedge j' = j}_{\rho_{\tau_1}} \models \underbrace{c_1 i' + c_2 j' + d \le 0}_{\psi'}$$

$$\underbrace{c_1 i + c_2 j + d \le 0}_{\psi} \wedge \underbrace{i' = i + 2 \wedge j' = j + 1}_{\rho_{\tau_2}} \models \underbrace{c_1 i' + c_2 j' + d \le 0}_{\psi'}$$
Farkas’ Lemma
Let S be a system of linear inequalities over real-valued variables x1, . . . , xn,

$$S : \begin{array}{c}
a_{11}x_1 + \cdots + a_{1n}x_n + b_1 \le 0 \\
\vdots \\
a_{m1}x_1 + \cdots + a_{mn}x_n + b_m \le 0
\end{array}$$

and ψ a linear inequality,

$$\psi : c_1x_1 + \cdots + c_nx_n + d \le 0$$

If S is satisfiable, S ⊨ ψ iff there exist real multipliers λ1, . . . , λm ≥ 0 such that:

$$c_1 = \sum_{i=1}^{m} \lambda_i a_{i1} \quad \ldots \quad c_n = \sum_{i=1}^{m} \lambda_i a_{in} \qquad d \le \sum_{i=1}^{m} \lambda_i b_i$$
3. Encode the conditions: Initiation
Initiation: $\Theta \models c_1x_1 + \cdots + c_nx_n + d \le 0$ is encoded by the tableau

$$\begin{array}{ll}
\lambda_{\theta,1} & \theta_{11}x_1 + \cdots + \theta_{1n}x_n + \theta_{1,n+1} \le 0 \\
\vdots & \vdots \\
\lambda_{\theta,m} & \theta_{m1}x_1 + \cdots + \theta_{mn}x_n + \theta_{m,n+1} \le 0 \\
\hline
& c_1x_1 + \cdots + c_nx_n + d \le 0
\end{array}$$

where the rows above the line are the conjuncts of Θ, which produces the constraints

$$S_\Theta : \exists(\lambda_{\theta,1}, \ldots, \lambda_{\theta,m} \ge 0)\,.\ c_1 = \sum_{i=1}^{m} \lambda_{\theta,i}\theta_{i1} \wedge \ldots \wedge c_n = \sum_{i=1}^{m} \lambda_{\theta,i}\theta_{in} \wedge d \le \sum_{i=1}^{m} \lambda_{\theta,i}\theta_{i,n+1}$$
Example: Encoding Initiation
Initial condition Θ : i = 2 ∧ j = 0

$$\begin{array}{lll}
\lambda_0 & -1 \le 0 & \\
\lambda_1 & i - 2 \le 0 & \\
\lambda_2 & -i + 2 \le 0 & \\
\lambda_3 & j \le 0 & \\
\lambda_4 & -j \le 0 & \\
\hline
& c_1 i + c_2 j + d \le 0 & \leftarrow \psi
\end{array}$$

Constraints:

$$(\exists \lambda_0, \ldots, \lambda_4 \ge 0)\ [\lambda_1 - \lambda_2 = c_1 \wedge \lambda_3 - \lambda_4 = c_2 \wedge -\lambda_0 - 2\lambda_1 + 2\lambda_2 = d]$$

Eliminate λ0, . . . , λ4: $S_\Theta : 2c_1 + d \le 0$
3. Encode the Conditions: Consecution
Consecution: $c_1x_1 + \cdots + c_nx_n + d \le 0 \wedge \rho_{\tau_i} \models c_1x'_1 + \cdots + c_nx'_n + d \le 0$ is encoded by the tableau

$$\begin{array}{ll}
\mu_{\tau_i} & c_1x_1 + \cdots + c_nx_n + d \le 0 \\
\lambda_{\tau_i,1} & \tau_{i,11}x_1 + \cdots + \tau_{i,1n}x_n + \tau'_{i,11}x'_1 + \cdots + \tau'_{i,1n}x'_n + \tau_{i,1,n+1} \le 0 \\
\vdots & \vdots \\
\lambda_{\tau_i,m} & \tau_{i,m1}x_1 + \cdots + \tau_{i,mn}x_n + \tau'_{i,m1}x'_1 + \cdots + \tau'_{i,mn}x'_n + \tau_{i,m,n+1} \le 0 \\
\hline
& c_1x'_1 + \cdots + c_nx'_n + d \le 0
\end{array}$$

where the λ rows are the conjuncts of ρτi, which produces the constraints

$$S_{\tau_i} : \exists(\mu_{\tau_i}, \lambda_{\tau_i,1}, \ldots, \lambda_{\tau_i,m} \ge 0)\,.\ \mu_{\tau_i}c_1 + \sum_{j=1}^{m} \lambda_{\tau_i,j}\tau_{i,j1} = 0 \wedge \ldots \wedge \mu_{\tau_i}c_n + \sum_{j=1}^{m} \lambda_{\tau_i,j}\tau_{i,jn} = 0 \wedge \sum_{j=1}^{m} \lambda_{\tau_i,j}\tau'_{i,j1} = c_1 \wedge \ldots \wedge \sum_{j=1}^{m} \lambda_{\tau_i,j}\tau'_{i,jn} = c_n \wedge d \le \mu_{\tau_i}d + \sum_{j=1}^{m} \lambda_{\tau_i,j}\tau_{i,j,n+1}$$

(the constant-term constraint has the direction of Farkas' lemma above, d ≤ Σ λi bi; the products µτi · cj are what make Sτi nonlinear in the unknowns)
Example: Encoding Consecution for τ1
Transition relation ρτ1 : i′ = i + 4 ∧ j′ = j

$$\begin{array}{lll}
\lambda_0 & -1 \le 0 & \\
\mu_1 & c_1 i + c_2 j + d \le 0 & \leftarrow \psi \\
\lambda_1 & i - i' + 4 = 0 & \leftarrow \rho_{\tau_1} \\
\lambda_2 & j - j' = 0 & \leftarrow \rho_{\tau_1} \\
\hline
& c_1 i' + c_2 j' + d \le 0 & \leftarrow \psi'
\end{array}$$

Constraints (λ1 and λ2 are unrestricted in sign because their rows are equalities):

$$(\exists \lambda_0, \mu_1 \ge 0)(\exists \lambda_1, \lambda_2)\ [\mu_1 c_1 + \lambda_1 = 0 \wedge \mu_1 c_2 + \lambda_2 = 0 \wedge -\lambda_1 = c_1 \wedge -\lambda_2 = c_2 \wedge -\lambda_0 + \mu_1 d + 4\lambda_1 = d]$$

Eliminate λ0, . . . , λ2, µ1:
$S_{\tau_1} : (c_1 \le 0) \vee (c_1 = 0 \wedge c_2 = 0)$
Example: Combined Constraint
The overall constraint is:
(2c1 + d ≤ 0) ← Initiation
∧
(c1 ≤ 0) ∨
(c1 = 0 ∧ c2 = 0)
← τ1 consecution
∧
(2c1 + c2 ≤ 0) ∨
(c1 = 0 ∧ c2 = 0)
← τ2 consecution
which simplifies to
2c1 + d ≤ 0 ∧ c1 ≤ 0 ∧ 2c1 + c2 ≤ 0
4. Solve the constraints
Solve the constraint system $S_\Theta \wedge S_{\tau_1} \wedge \ldots \wedge S_{\tau_k}$ for $\{c_1, \ldots, c_n, d\}$
Example: Solving the Constraints
The basic solutions of 2c1 + d ≤ 0 ∧ c1 ≤ 0 ∧ 2c1 + c2 ≤ 0 are

| c1 | c2 | d | c1 i + c2 j + d ≤ 0 |
|---|---|---|---|
| 0 | 0 | −1 | −1 ≤ 0 |
| 0 | −1 | 0 | −j ≤ 0 |
| −1 | 2 | 2 | −i + 2j + 2 ≤ 0 |

which correspond to the inductive invariants j ≥ 0 and i − 2j ≥ 2
5. Solutions
The property $c_1x_1 + \cdots + c_nx_n + d \le 0$ is an invariant for all solutions of $\{c_1, \ldots, c_n, d\}$.
■ Good news: the method is complete for linear systems: the solutions for {c1, . . . , cn} represent all linear inductive inequalities of the given shape.
■ But: it requires individual inductiveness (each inequality must be inductive on its own).
Summary
1. Fix a target property with unknown coefficients: c1 i + c2 j + d ≤ 0
2. Encode the property conditions
3. Compute constraints on the unknown coefficients: 2c1 + d ≤ 0 ∧ c1 ≤ 0 ∧ 2c1 + c2 ≤ 0
4. Solve these constraints: ⟨c1, c2, d⟩ = ⟨0, −1, 0⟩ and ⟨c1, c2, d⟩ = ⟨−1, 2, 2⟩
5. Generate the invariants:
   ⟨0, −1, 0⟩ ↔ 0i − 1j + 0 ≤ 0
   ⟨−1, 2, 2⟩ ↔ −1i + 2j + 2 ≤ 0

Invariants: j ≥ 0 and i − 2j ≥ 2
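The five steps carried through in code for the same loop, as an added Python example (not the authors' tool): the initiation and consecution conditions are encoded with Farkas' lemma exactly as in the tableaux above, the multipliers are then eliminated by exact rational Fourier-Motzkin elimination (standing in for the quantifier elimination the slides leave to a solver), and the resulting constraints on (c1, c2, d) are checked against the solutions on the Summary slide. To keep the consecution constraints linear, µ is fixed to 1, the non-trivial branch of the case split in Sτ1; all function and variable names are this example's own.

```python
from fractions import Fraction as F
from functools import reduce
from itertools import product
from math import gcd

# A linear expression is {name: Fraction}; the key "1" holds the constant term.
def add(a, b, k=F(1)):
    """a + k*b, dropping zero coefficients."""
    r = dict(a)
    for v, c in b.items():
        r[v] = r.get(v, F(0)) + k * c
    return {v: c for v, c in r.items() if c != 0}

def scale(a, k):
    return {v: k * c for v, c in a.items()}

def farkas(rows, target, xs):
    """Farkas encoding of (conjunction of rows) |= target.  target maps each
    variable (and "1") to the name of an unknown coefficient.  A row is
    (mult, coeffs, kind); coeffs are numbers, except in the psi row where they
    are the unknown names and mult is then a fixed number (mu*c1 would be
    bilinear).  kind "<=" requires mult >= 0, kind "=" leaves it free.
    Returns (equalities == 0, inequalities <= 0) over multipliers/unknowns."""
    eqs, ineqs = [], []
    for x in xs + ["1"]:
        acc = {}
        for mult, coeffs, _ in rows:
            a = coeffs.get(x, 0)
            if isinstance(a, str):              # unknown coefficient, fixed mu
                acc = add(acc, {a: F(mult)})
            elif isinstance(mult, str):         # number times free multiplier
                acc = add(acc, {mult: F(a)})
            else:
                acc = add(acc, {"1": F(mult) * F(a)})
        lhs = {target[x]: F(1)} if x in target else {}
        # coefficients must match exactly; for the constant only  d <= sum
        (ineqs if x == "1" else eqs).append(add(lhs, acc, F(-1)))
    ineqs += [{m: F(-1)} for m, _, kind in rows if kind == "<=" and isinstance(m, str)]
    return eqs, ineqs

def eliminate(eqs, ineqs, v):
    """Drop v: substitute via an equality mentioning it if there is one,
    else pair each positive with each negative inequality (Fourier-Motzkin)."""
    for e in eqs:
        if v in e:
            sol = scale(add(e, {v: e[v]}, F(-1)), F(-1) / e[v])      # v == sol
            sub = lambda a: add(add(a, {v: a[v]}, F(-1)), sol, a[v]) if v in a else a
            return [sub(x) for x in eqs if x is not e], [sub(x) for x in ineqs]
    pos = [scale(a, F(1) / a[v]) for a in ineqs if a.get(v, 0) > 0]
    neg = [scale(a, F(-1) / a[v]) for a in ineqs if a.get(v, 0) < 0]
    rest = [a for a in ineqs if v not in a]
    return eqs, rest + [add(p, n) for p, n in product(pos, neg)]

def normalize(a):
    """Coprime integer coefficients sorted by name (positive scaling keeps <= 0)."""
    m = reduce(lambda m, c: m * c.denominator // gcd(m, c.denominator), a.values(), 1)
    g = reduce(gcd, (abs(int(c * m)) for c in a.values()), 0)
    return tuple(sorted((v, int(c * m) // g) for v, c in a.items()))

def project(eqs, ineqs, keep):
    """Eliminate every variable not in keep; return the surviving constraints
    as canonical <= 0 rows (a surviving equality contributes two rows)."""
    for v in sorted({v for a in eqs + ineqs for v in a} - set(keep) - {"1"}):
        eqs, ineqs = eliminate(eqs, ineqs, v)
    out = []
    for a in ineqs + eqs + [scale(e, F(-1)) for e in eqs]:
        if set(a) <= {"1"} and a.get("1", 0) <= 0:
            continue                                    # 0 <= 0: redundant
        if normalize(a) not in out:
            out.append(normalize(a))
    return out

XS = ["i", "j"]
PSI = {"i": "c1", "j": "c2", "1": "d"}            # psi:  c1*i + c2*j + d <= 0
PSI_NEXT = {"i'": "c1", "j'": "c2", "1": "d"}     # psi': the same on the primed state
KEEP = ["c1", "c2", "d"]

def initiation():
    """S_Theta for Theta: i = 2 /\\ j = 0, written as inequalities plus the
    trivial row -1 <= 0 (its multiplier absorbs the slack in d <= sum)."""
    rows = [("l0", {"1": -1}, "<="), ("l1", {"i": 1, "1": -2}, "<="),
            ("l2", {"i": -1, "1": 2}, "<="), ("l3", {"j": 1}, "<="),
            ("l4", {"j": -1}, "<=")]
    return project(*farkas(rows, PSI, XS), KEEP)

def consecution(di, dj, mu=1):
    """S_tau for  psi /\\ i' = i + di /\\ j' = j + dj  |= psi'.  The slides'
    elimination gives mu*c1 = c1, so mu = 1 unless c1 = c2 = 0; mu = 1 is
    the non-trivial branch and the default here."""
    rows = [("l0", {"1": -1}, "<="), (mu, PSI, "<="),
            ("l1", {"i": 1, "i'": -1, "1": di}, "="),
            ("l2", {"j": 1, "j'": -1, "1": dj}, "=")]
    return project(*farkas(rows, PSI_NEXT, XS + ["i'", "j'"]), KEEP)

def invariant_constraints():
    """S_Theta /\\ S_tau1 /\\ S_tau2 for  i := i + 4  or  (i, j) := (i + 2, j + 1)."""
    return initiation() + consecution(4, 0) + consecution(2, 1)

def satisfies(constraints, c1, c2, d):
    """Is (c1, c2, d) a solution, i.e. is c1*i + c2*j + d <= 0 inductive?"""
    val = {"c1": c1, "c2": c2, "d": d, "1": 1}
    return all(sum(k * val[v] for v, k in row) <= 0 for row in constraints)
```

Each returned row is a sorted tuple of (name, integer coefficient) pairs meaning "sum ≤ 0", so `invariant_constraints()` yields 2c1 + d ≤ 0, c1 ≤ 0 and 2c1 + c2 ≤ 0, the system the Combined Constraint slide simplifies to.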
Pros and Cons
Advantages:
■ No widening necessary
■ All inductive invariants are generated (or obtained as consequences)
■ System structure can be exploited to obtain linear constraints: Petri nets

Disadvantages:
■ The constraint systems Sτ1, . . . , Sτk are nonlinear and may be hard to solve. Tools: QEPCAD
■ But: Sτ1, . . . , Sτk are parametric linear. More efficient solution methods: factorization, polynomial root finding. Tool: REDLOG [Weispfenning; Dolzmann, Sturm]
Computing Linear Ranking Functions
![Page 38: Constraint-Based Static Analysis of Programs](https://reader030.vdocuments.mx/reader030/viewer/2022012503/617da7c999b08d6fd67a22aa/html5/thumbnails/38.jpg)
1. Fix type and shape
■ Type: Ranking function
■ Shape: c1x1 + c2x2 + . . . + cnxn + d
where {x1, . . . , xn} are the program variables
and {c1, . . . , cn, d} are unknown coefficients
![Page 39: Constraint-Based Static Analysis of Programs](https://reader030.vdocuments.mx/reader030/viewer/2022012503/617da7c999b08d6fd67a22aa/html5/thumbnails/39.jpg)
2. Property Conditions
The function δ : c1x1 + c2x2 + . . . + cnxn + d
is a ranking function of a loop Φ : 〈V : {x1, . . . , xn}, Θ, T : {τ1, . . . , τk}〉 if
ρτ1 |= δ ≥ 0
...                  (bounded)
ρτk |= δ ≥ 0
ρτ1 |= δ − δ′ > 0
...                  (ranking)
ρτk |= δ − δ′ > 0
that is, if
■ it is bounded from below, and
■ it is decreased by each transition
![Page 40: Constraint-Based Static Analysis of Programs](https://reader030.vdocuments.mx/reader030/viewer/2022012503/617da7c999b08d6fd67a22aa/html5/thumbnails/40.jpg)
3. Encode the conditions: Bounded
Bounded: ρτi |= δ ≥ 0
is encoded by (one multiplier λτi,j ≥ 0 per row of ρτi)

$$
\begin{array}{c|l}
\lambda_{\tau_i,1} & \tau_{i,11}x_1 + \cdots + \tau_{i,1n}x_n + \tau'_{i,11}x'_1 + \cdots + \tau'_{i,1n}x'_n + \tau_{i,1,n+1} \le 0 \\
\vdots & \qquad\vdots \qquad\qquad (\rho_{\tau_i}) \\
\lambda_{\tau_i,m} & \tau_{i,m1}x_1 + \cdots + \tau_{i,mn}x_n + \tau'_{i,m1}x'_1 + \cdots + \tau'_{i,mn}x'_n + \tau_{i,m,n+1} \le 0 \\ \hline
& -c_1x_1 - \cdots - c_nx_n - d \le 0
\end{array}
$$

which produces the constraints

$$
\begin{array}{rl}
B_{\tau_i}:\ \exists(\lambda_{\tau_i,1},\ldots,\lambda_{\tau_i,m} \ge 0)\,. &
\sum_{j=1}^{m} \lambda_{\tau_i,j}\,\tau_{i,j1} = -c_1 \;\wedge\; \cdots \;\wedge\; \sum_{j=1}^{m} \lambda_{\tau_i,j}\,\tau_{i,jn} = -c_n \;\wedge \\
& \sum_{j=1}^{m} \lambda_{\tau_i,j}\,\tau'_{i,j1} = 0 \;\wedge\; \cdots \;\wedge\; \sum_{j=1}^{m} \lambda_{\tau_i,j}\,\tau'_{i,jn} = 0 \;\wedge \\
& -\sum_{j=1}^{m} \lambda_{\tau_i,j}\,\tau_{i,j,n+1} \le d
\end{array}
$$
![Page 41: Constraint-Based Static Analysis of Programs](https://reader030.vdocuments.mx/reader030/viewer/2022012503/617da7c999b08d6fd67a22aa/html5/thumbnails/41.jpg)
3. Encode the conditions: Ranking
Ranking: ρτi |= δ − δ′ > 0
is encoded by (with ǫ > 0 as the amount of decrease)

$$
\begin{array}{c|l}
\lambda_{\tau_i,1} & \tau_{i,11}x_1 + \cdots + \tau_{i,1n}x_n + \tau'_{i,11}x'_1 + \cdots + \tau'_{i,1n}x'_n + \tau_{i,1,n+1} \le 0 \\
\vdots & \qquad\vdots \qquad\qquad (\rho_{\tau_i}) \\
\lambda_{\tau_i,m} & \tau_{i,m1}x_1 + \cdots + \tau_{i,mn}x_n + \tau'_{i,m1}x'_1 + \cdots + \tau'_{i,mn}x'_n + \tau_{i,m,n+1} \le 0 \\ \hline
& -c_1x_1 - \cdots - c_nx_n + c_1x'_1 + \cdots + c_nx'_n + \epsilon \le 0
\end{array}
$$

which produces the constraints

$$
\begin{array}{rl}
R_{\tau_i}:\ \exists(\lambda_{\tau_i,1},\ldots,\lambda_{\tau_i,m} \ge 0)\,. &
\sum_{j=1}^{m} \lambda_{\tau_i,j}\,\tau_{i,j1} = -c_1 \;\wedge\; \cdots \;\wedge\; \sum_{j=1}^{m} \lambda_{\tau_i,j}\,\tau_{i,jn} = -c_n \;\wedge \\
& \sum_{j=1}^{m} \lambda_{\tau_i,j}\,\tau'_{i,j1} = c_1 \;\wedge\; \cdots \;\wedge\; \sum_{j=1}^{m} \lambda_{\tau_i,j}\,\tau'_{i,jn} = c_n \;\wedge \\
& -\sum_{j=1}^{m} \lambda_{\tau_i,j}\,\tau_{i,j,n+1} \le -\epsilon
\end{array}
$$
![Page 42: Constraint-Based Static Analysis of Programs](https://reader030.vdocuments.mx/reader030/viewer/2022012503/617da7c999b08d6fd67a22aa/html5/thumbnails/42.jpg)
4. Solve the constraints
Solve the constraint systems
Bτ1 ∧ . . . ∧ Bτk ∧ Rτ1 ∧ . . . ∧ Rτk
for {c1, . . . , cn, d}
![Page 43: Constraint-Based Static Analysis of Programs](https://reader030.vdocuments.mx/reader030/viewer/2022012503/617da7c999b08d6fd67a22aa/html5/thumbnails/43.jpg)
5. Solutions
The function c1x1 + c2x2 + . . . + cnxn + d
is a ranking function for all solutions of {c1, . . . , cn, d}.
■ Good news: The method is complete for linear systems: the solutions represent all linear ranking functions of the given (uninitialized) loop.
■ Good news: Constraints are all linear: can be solved efficiently
■ Bad news: Most ranking functions require invariants to prove boundedness
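The five steps above carried out for one concrete loop, as an added example that is not part of the slides: it builds Bτ and Rτ exactly as encoded on the two preceding slides, here for the loop of the later nonlinear example (while k ≥ 0 do (s, k) := (s + i, k − 1)), and then projects the multipliers out by substitution and Fourier-Motzkin elimination instead of calling an LP solver. The function names (encode, eliminate, holds, ...) and the row encoding of ρ are mine.

```python
from fractions import Fraction as F

# A constraint is (coeffs, rel): coeffs maps a variable name to a Fraction ("1" is the
# constant term) and rel is "=" or "<="; the pair reads  sum(coeff * var)  rel  0.

def con(coeffs, rel):
    return ({x: F(y) for x, y in coeffs.items() if y != 0}, rel)

def lincomb(a, ca, b, cb):
    """ca*a + cb*b with zero entries dropped."""
    r = {x: ca * a.get(x, 0) + cb * b.get(x, 0) for x in set(a) | set(b)}
    return {x: y for x, y in r.items() if y != 0}

def eliminate(cons, v):
    """Project v out exactly: substitute it away with an equality that mentions it if there is
    one, otherwise Fourier-Motzkin (add each positive to each negative inequality in v)."""
    for e, rel in cons:
        if rel == "=" and v in e:
            return [(lincomb(c, F(1), e, -c[v] / e[v]), r) if v in c else (c, r)
                    for c, r in cons if c is not e]
    pos = [c for c, _ in cons if c.get(v, 0) > 0]
    neg = [c for c, _ in cons if c.get(v, 0) < 0]
    return ([(c, r) for c, r in cons if v not in c]
            + [(lincomb(p, -n[v], n, p[v]), "<=") for p in pos for n in neg])

def encode(rows, n, kind, t):
    """B_tau (kind 'B') or R_tau (kind 'R') of the slides for transition t, whose relation rho
    is given as rows (tau_j, tau'_j, tau_j,n+1), each read as tau_j.x + tau'_j.x' + tau_j,n+1 <= 0."""
    lam = [f"l{kind}{t}_{j}" for j in range(len(rows))]
    cons = [con({l: -1}, "<=") for l in lam]                                 # lambda_j >= 0
    for i in range(n):
        tau = {l: r[0][i] for l, r in zip(lam, rows)}            # sum_j lambda_j tau_j,i
        tau_p = {l: r[1][i] for l, r in zip(lam, rows)}          # sum_j lambda_j tau'_j,i
        cons.append(con({**tau, f"c{i + 1}": 1}, "="))           # ... = -c_i   (B and R)
        cons.append(con({**tau_p, f"c{i + 1}": -1 if kind == "R" else 0}, "="))  # = 0 (B) | c_i (R)
    const = {l: -r[2] for l, r in zip(lam, rows)}                # -sum_j lambda_j tau_j,n+1
    cons.append(con({**const, **({"d": -1} if kind == "B" else {"eps": 1})}, "<="))  # <= d | <= -eps
    return cons

def ranking_conditions(transitions, n):
    """Step 4 of the slides: B ∧ R for every transition with all multipliers projected out, so
    what remains constrains only c_1..c_n, d and eps (eps > 0 witnesses the strict decrease)."""
    cons = [c for t, rows in enumerate(transitions) for kind in "BR" for c in encode(rows, n, kind, t)]
    for v in sorted({x for c, _ in cons for x in c if x.startswith("l")}):
        cons = eliminate(cons, v)
    return cons

def holds(cons, env):
    """Does the assignment env (variable -> number; absent variables read as 0) satisfy cons?"""
    for c, rel in cons:
        val = sum(y * (1 if x == "1" else env.get(x, 0)) for x, y in c.items())
        if not (val == 0 if rel == "=" else val <= 0):
            return False
    return True

# The slide-59 loop  while k >= 0 do (s, k) := (s + i, k - 1)  over x = (s, k, i, j), with
# rho as rows: the guard -k <= 0 and each assignment written as two inequalities.
LOOP = [((0, -1, 0, 0), (0, 0, 0, 0), 0),                                           # -k <= 0
        ((-1, 0, -1, 0), (1, 0, 0, 0), 0), ((1, 0, 1, 0), (-1, 0, 0, 0), 0),        # s' = s + i
        ((0, -1, 0, 0), (0, 1, 0, 0), 1), ((0, 1, 0, 0), (0, -1, 0, 0), -1),        # k' = k - 1
        ((0, 0, -1, 0), (0, 0, 1, 0), 0), ((0, 0, 1, 0), (0, 0, -1, 0), 0),         # i' = i
        ((0, 0, 0, -1), (0, 0, 0, 1), 0), ((0, 0, 0, 1), (0, 0, 0, -1), 0)]         # j' = j

def slide59_ranking_conditions():
    """Constraints on (c1, c2, c3, c4, d, eps) for delta = c1 s + c2 k + c3 i + c4 j + d;
    for eps > 0 they admit exactly c1 = c3 = c4 = 0, c2 >= eps, d >= 0, i.e. delta = c2 k + d."""
    return ranking_conditions([LOOP], 4)
```

For this loop the guard k ≥ 0 alone proves boundedness; for loops where it does not, the "bad news" above applies and an invariant has to be conjoined to ρ first.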
![Page 44: Constraint-Based Static Analysis of Programs](https://reader030.vdocuments.mx/reader030/viewer/2022012503/617da7c999b08d6fd67a22aa/html5/thumbnails/44.jpg)
Computing Nonlinear Invariants
![Page 45: Constraint-Based Static Analysis of Programs](https://reader030.vdocuments.mx/reader030/viewer/2022012503/617da7c999b08d6fd67a22aa/html5/thumbnails/45.jpg)
1. Fix type and shape
■ Type: Invariant
■ Shape:
c1x^3 + c2x^2y + c3x^2z + c4xy^2 + c5xyz + c6xz^2 + c7y^3 + c8y^2z + c9yz^2 + c10z^3 = 0
where {x, y, z} are the program variables
and {c1, . . . , c10} are unknown coefficients
![Page 46: Constraint-Based Static Analysis of Programs](https://reader030.vdocuments.mx/reader030/viewer/2022012503/617da7c999b08d6fd67a22aa/html5/thumbnails/46.jpg)
2. Property Conditions
The property p = 0 with
p : c1x^3 + c2x^2y + c3x^2z + c4xy^2 + c5xyz + c6xz^2 + c7y^3 + c8y^2z + c9yz^2 + c10z^3
is an invariant of transition system Φ : 〈V : {x1, . . . , x10}, Θ, T : {τ1, . . . , τk}〉 if
Θ |= p = 0                    (initiation)
p = 0 ∧ ρτ1 |= p′ = 0
...                           (consecution)
p = 0 ∧ ρτk |= p′ = 0
that is, if
■ it is implied by the initial condition, and
■ it is preserved by all transitions of the system
![Page 47: Constraint-Based Static Analysis of Programs](https://reader030.vdocuments.mx/reader030/viewer/2022012503/617da7c999b08d6fd67a22aa/html5/thumbnails/47.jpg)
Linear Equalities vs Nonlinear Equalities
Computing Consequences for Polynomial Equalities

| Linear Equalities | Polynomial Equalities |
|---|---|
| λ1: e1 = 0, . . . , λm: em = 0 ⟹ e = 0 | g1: p1 = 0, . . . , gm: pm = 0 ⟹ p = 0 |
| λ1, . . . , λm reals | g1, . . . , gm arbitrary polynomials |
| e = λ1e1 + · · · + λmem | p = g1p1 + · · · + gmpm |
| e ∈ SPACE(e1, . . . , em) | p ∈ IDEAL(p1, . . . , pm) |

How do we test if p ∈ IDEAL(p1, . . . , pm)?
![Page 48: Constraint-Based Static Analysis of Programs](https://reader030.vdocuments.mx/reader030/viewer/2022012503/617da7c999b08d6fd67a22aa/html5/thumbnails/48.jpg)
Ideals
Ideal: The ideal generated by P is the set of all polynomials of the form
Ideal(P) = {g1p1 + . . . + gmpm | g1, . . . , gm polynomials}
Example: Let P = {x^2 − y, y − z, x + z}.
Ideal(P) = { g1(x^2 − y) + g2(y − z) + g3(x + z) | g1, g2, g3 are polynomials over x, y, z }
−zx − z = 1 · (x^2 − y) + 1 · (y − z) + (−x) · (x + z)
           (g1 = 1, g2 = 1, g3 = −x)
Therefore, −zx − z ∈ Ideal(P).
![Page 49: Constraint-Based Static Analysis of Programs](https://reader030.vdocuments.mx/reader030/viewer/2022012503/617da7c999b08d6fd67a22aa/html5/thumbnails/49.jpg)
Testing Ideal Membership
Summary: To test if
p1 = 0 ∧ p2 = 0 ∧ · · · ∧ pm = 0 |= p = 0
we instead test if
p ∈ Ideal({p1, . . . , pm})
i.e., p = g1p1 + · · · + gmpm
for some g1, . . . , gm.
How do we test if p ∈ Ideal(P)?
![Page 50: Constraint-Based Static Analysis of Programs](https://reader030.vdocuments.mx/reader030/viewer/2022012503/617da7c999b08d6fd67a22aa/html5/thumbnails/50.jpg)
Gröbner Basis Theorem
Given any set of polynomials P, compute a special set of polynomials G such that
■ Ideal(G) = Ideal(P),
■ the reduction relation →G is confluent and terminating.
G is called the Gröbner basis of P. For any polynomial p, there is a unique normal form
p →G · · · →G NFG(p)
Theorem: p ∈ Ideal(P) iff NFG(p) = 0.
![Page 51: Constraint-Based Static Analysis of Programs](https://reader030.vdocuments.mx/reader030/viewer/2022012503/617da7c999b08d6fd67a22aa/html5/thumbnails/51.jpg)
Testing Ideal Membership
How do we test if p ∈ IDEAL(p1, . . . , pm)?
1. Compute the Gröbner basis G for {p1, . . . , pm}. Use Buchberger’s Algorithm + Refinements
2. Compute the normal form of p with respect to G, denoted NFG(p),
3. p ∈ IDEAL(p1, . . . , pm) iff NFG(p) = 0.
![Page 52: Constraint-Based Static Analysis of Programs](https://reader030.vdocuments.mx/reader030/viewer/2022012503/617da7c999b08d6fd67a22aa/html5/thumbnails/52.jpg)
Testing Ideal Membership
Example: Let P = {p1 : x^2 − y, p2 : y + z, p3 : x − z}.
Can we find out if x^2 − z ∈ Ideal(P) using →P?
No!
Gröbner basis of P is
G = {z^2 − z, y − z, x + z}
Can we find out using →G?
Yes!
Any sequence of reductions from x^2 − z has normal form 0.
![Page 53: Constraint-Based Static Analysis of Programs](https://reader030.vdocuments.mx/reader030/viewer/2022012503/617da7c999b08d6fd67a22aa/html5/thumbnails/53.jpg)
Parametric Membership Problem
Let P = {p1 : x^2 − y, p2 : y + z, p3 : x − z}.
Problem: For what values of c1, c2, . . . , c5 is the polynomial
p : c1x^2 + c2x^2y^2 + c3z^2 + c4z + c5 ∈ Ideal(P)?
Solution:
1. Compute the Gröbner basis of P,
G = {z^2 − z, y − z, x + z}
2. Compute the normal form of p with respect to G,
(c1 + c2 + c3 + c4)z + c5
3. Set every coefficient to zero,
(c1 + c2 + c3 + c4 = 0) ∧ (c5 = 0)
![Page 54: Constraint-Based Static Analysis of Programs](https://reader030.vdocuments.mx/reader030/viewer/2022012503/617da7c999b08d6fd67a22aa/html5/thumbnails/54.jpg)
Parametric Membership Problem
Note: For solutions to c1, . . . , c5 that satisfy
(c1 + c2 + c3 + c4 = 0) ∧ (c5 = 0)
it follows that
p : c1x^2 + c2x^2y^2 + c3z^2 + c4z + c5 ∈ Ideal(P)
![Page 55: Constraint-Based Static Analysis of Programs](https://reader030.vdocuments.mx/reader030/viewer/2022012503/617da7c999b08d6fd67a22aa/html5/thumbnails/55.jpg)
3. Encode the conditions: Initiation
The condition Θ |= p = 0
is encoded by reducing p with respect to the Gröbner basis G of ((Θ)):
p →G NF(p)
and setting NF(p) ≡ 0 (every coefficient of the normal form equal to zero),
which produces a set SΘ of linear constraints on {c1, . . . , c10}.
![Page 56: Constraint-Based Static Analysis of Programs](https://reader030.vdocuments.mx/reader030/viewer/2022012503/617da7c999b08d6fd67a22aa/html5/thumbnails/56.jpg)
3. Encode the conditions: Consecution
The condition p = 0 ∧ ρτi |= p′ = 0
is not practical to encode. Instead we encode one of
ρτi |= p′ = 0
ρτi |= p′ − p = 0
which result in a set Sτi of linear constraints, or one of
∃λ ∈ R . ρτi |= p′ − λp = 0
∃q ∈ R[x1, . . . , xn] . ρτi |= p′ − qp = 0
which result in a set of nonlinear constraints.
![Page 57: Constraint-Based Static Analysis of Programs](https://reader030.vdocuments.mx/reader030/viewer/2022012503/617da7c999b08d6fd67a22aa/html5/thumbnails/57.jpg)
4. Solve the constraints
Solve SΘ ∧ Sτ1 ∧ . . . ∧ Sτk
for {c1, . . . , c10}
![Page 58: Constraint-Based Static Analysis of Programs](https://reader030.vdocuments.mx/reader030/viewer/2022012503/617da7c999b08d6fd67a22aa/html5/thumbnails/58.jpg)
5. Solutions
The property
c1x^3 + c2x^2y + c3x^2z + c4xy^2 + c5xyz + c6xz^2 + c7y^3 + c8y^2z + c9yz^2 + c10z^3 = 0
is an invariant for all solutions of {c1, . . . , c10}
■ Good news: Constraints are all linear: can be solved efficiently
■ Bad news: Invariants are missed because of strengthening the conditions
![Page 59: Constraint-Based Static Analysis of Programs](https://reader030.vdocuments.mx/reader030/viewer/2022012503/617da7c999b08d6fd67a22aa/html5/thumbnails/59.jpg)
Example: Nonlinear Invariant Generation
integer i, j, k, s where (s = 0 ∧ j = k ∧ j ≥ 0)
l0 : while (k ≥ 0) do
l1 : (s, k) := (s + i, k − 1)
l2 :
Target Invariant: p = c1s + c2ik + c3i j + c4 jk + c5
Question: For what values of c1, . . . , c5, is p = 0 inductive at l0?
![Page 60: Constraint-Based Static Analysis of Programs](https://reader030.vdocuments.mx/reader030/viewer/2022012503/617da7c999b08d6fd67a22aa/html5/thumbnails/60.jpg)
Example: Nonlinear Invariant Generation
1. Fix a template (usually a “generic polynomial” of degree m),
c1s + c2ik + c3ij + c4jk + c5
2. Generate constraints by encoding initiation and consecution,
c2 + c3 = 0 ∧ c4 = c5 = 0 ∧ c1 − c2 = 0
3. Solve the constraints,
c3 = 1, c1 = c2 = −1, c4 = c5 = 0
4. Generate the invariant
−s − ik + ij = 0
Invariant: s = i(j − k) at l0.
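The ideal-membership test, the parametric membership problem and the initiation/consecution encoding of the preceding slides, carried through in code as an added example (not from the slides or the authors' tools): polynomial division modulo a given Gröbner basis with symbolic template coefficients, followed by an exact nullspace computation for the resulting linear constraints. The Gröbner bases are taken as given rather than computed with Buchberger's algorithm: the slides' G = {z² − z, y − z, x + z}, and for the loop above the bases {s, j − k} and {s′ − s − i, k′ − k + 1, j′ − j, i′ − i}, which are Gröbner bases because their leading terms are distinct single variables. The representation and the function names are mine.

```python
from fractions import Fraction

# Monomial = exponent tuple over an ordered variable list (tuple order = lex term order).
# Polynomial = {monomial: {c_index: Fraction}}: every coefficient is a linear form in the
# unknown template coefficients c_1, c_2, ... (index 0 holds the numeric constant part).

def P(V, *terms):
    """Polynomial from (coef, {var: exp}[, sign]) terms; coef 'c3' = unknown c_3, a number = constant."""
    p = {}
    for coef, exps, *sign in terms:
        m = tuple(exps.get(v, 0) for v in V)
        k, val = (int(coef[1:]), Fraction(1)) if isinstance(coef, str) else (0, Fraction(coef))
        c = p.setdefault(m, {})
        c[k] = c.get(k, Fraction(0)) + (sign[0] if sign else 1) * val
    return {m: c for m, c in p.items() if any(c.values())}      # drop monomials that cancelled

def reduce_mod(p, G):
    """Polynomial division of p modulo G: the unique normal form NF_G(p) when G is a Gröbner basis."""
    p, nf = {m: dict(c) for m, c in p.items()}, {}
    while p:
        m, v = max(p), dict(p[max(p)])                        # lex-largest remaining term
        for g in G:
            lm, a = max(g), g[max(g)][0]                      # leading monomial / coefficient of g
            if all(x <= y for x, y in zip(lm, m)):            # lm divides m: reduce the term
                quot = tuple(y - x for x, y in zip(lm, m))
                for gm, gc in g.items():                      # p -= (v / a) * quot * g
                    mm = tuple(x + y for x, y in zip(gm, quot))
                    t = p.setdefault(mm, {})
                    for k, vk in v.items():
                        t[k] = t.get(k, Fraction(0)) - vk * gc[0] / a
                    p[mm] = {k: x for k, x in t.items() if x != 0}
                    if not p[mm]: del p[mm]
                break
        else:                                                 # no divisor: term is part of the NF
            nf[m] = p.pop(m)
    return nf

def nullspace(rows, n):
    """Basis of {c in Q^n : row . c = 0 for all rows}; a row is {c_index: coefficient} (homogeneous)."""
    A = [[r.get(j + 1, Fraction(0)) for j in range(n)] for r in rows]
    pivots = []
    for col in range(n):                                      # exact Gauss-Jordan elimination
        r = len(pivots)
        piv = next((i for i in range(r, len(A)) if A[i][col] != 0), None)
        if piv is None: continue
        A[r], A[piv] = A[piv], A[r]
        A[r] = [x / A[r][col] for x in A[r]]
        for i in range(len(A)):
            if i != r and A[i][col] != 0:
                A[i] = [x - A[i][col] * y for x, y in zip(A[i], A[r])]
        pivots.append(col)
    basis = []
    for free in [j for j in range(n) if j not in pivots]:    # one basis vector per free unknown
        v = [Fraction(int(j == free)) for j in range(n)]
        for i, pc in enumerate(pivots):
            v[pc] = -A[i][free]
        basis.append(v)
    return basis

def ideal_membership_examples():
    """Slides 52-53: G = {z^2 - z, y - z, x + z} is a Gröbner basis for the order x > y > z."""
    V = ["x", "y", "z"]
    G = [P(V, (1, {"z": 2}), (-1, {"z": 1})), P(V, (1, {"y": 1}), (-1, {"z": 1})),
         P(V, (1, {"x": 1}), (1, {"z": 1}))]
    q = P(V, (1, {"x": 2}), (-1, {"z": 1}))                                   # x^2 - z
    param = P(V, ("c1", {"x": 2}), ("c2", {"x": 2, "y": 2}), ("c3", {"z": 2}),
              ("c4", {"z": 1}), ("c5", {}))                                   # c1 x^2 + c2 x^2 y^2 + ...
    return reduce_mod(q, G), reduce_mod(param, G)            # {} and (c1 + c2 + c3 + c4) z + c5

def nonlinear_invariant():
    """Slide-59 loop: basis of all (c1..c5) for which c1 s + c2 ik + c3 ij + c4 jk + c5 = 0 is inductive."""
    V = ["s'", "k'", "j'", "i'", "s", "j", "k", "i"]          # next-state variables ordered first
    def terms(q, sign):                                        # the template over x (q='') or x' (q="'")
        return [("c1", {"s" + q: 1}, sign), ("c2", {"i" + q: 1, "k" + q: 1}, sign),
                ("c3", {"i" + q: 1, "j" + q: 1}, sign), ("c4", {"j" + q: 1, "k" + q: 1}, sign),
                ("c5", {}, sign)]
    p, diff = P(V, *terms("", 1)), P(V, *terms("'", 1), *terms("", -1))      # p and p' - p
    # Leading terms are distinct single variables, so both sets are Gröbner bases (of Θ and of ρ).
    G_theta = [P(V, (1, {"s": 1})), P(V, (1, {"j": 1}), (-1, {"k": 1}))]      # s = 0, j = k
    G_rho = [P(V, (1, {"s'": 1}), (-1, {"s": 1}), (-1, {"i": 1})),           # s' = s + i
             P(V, (1, {"k'": 1}), (-1, {"k": 1}), (1, {})),                   # k' = k - 1
             P(V, (1, {"j'": 1}), (-1, {"j": 1})), P(V, (1, {"i'": 1}), (-1, {"i": 1}))]
    # Initiation: NF(p) ≡ 0.  Consecution, strengthened to ρ |= p' - p = 0: NF(p' - p) ≡ 0.
    rows = list(reduce_mod(p, G_theta).values()) + list(reduce_mod(diff, G_rho).values())
    return nullspace(rows, 5)                                  # [[-1, -1, 1, 0, 0]]: s = i (j - k)
```

The returned basis vector (−1, −1, 1, 0, 0) is the slides' solution c3 = 1, c1 = c2 = −1, c4 = c5 = 0; the guard k ≥ 0 is an inequality and so plays no part in the ideal-based consecution encoding.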
![Page 61: Constraint-Based Static Analysis of Programs](https://reader030.vdocuments.mx/reader030/viewer/2022012503/617da7c999b08d6fd67a22aa/html5/thumbnails/61.jpg)
Summary
![Page 62: Constraint-Based Static Analysis of Programs](https://reader030.vdocuments.mx/reader030/viewer/2022012503/617da7c999b08d6fd67a22aa/html5/thumbnails/62.jpg)
Advantages of Constraint-based Approach
■ Controlling the complexity of the constraints
◆ Strengthen the conditions on the property
Θ |= ψ                        Θ |= ψ
ψ ∧ ρτ |= ψ′        =⇒        ρτ |= ψ′
parametric linear constraints        linear constraints
◆ Constrain the property
c1x^3 + c2x^2y + c3x^2z + c4xy^2 + c5xyz + c6xz^2 + c7y^3 + c8y^2z + c9yz^2 + c10z^3
⇓
c1x^3 + c2xy^2 + c3xz^2 + c4y^2z
![Page 63: Constraint-Based Static Analysis of Programs](https://reader030.vdocuments.mx/reader030/viewer/2022012503/617da7c999b08d6fd67a22aa/html5/thumbnails/63.jpg)
Advantages of Constraint-based Approach
■ Not limited to invariants
◆ termination
◆ temporal properties (LTL safety)
■ Applicable to any domain that allows computation of consequences
■ Can exploit system structure to simplify the constraint system
◆ Petri nets
■ Can take advantage of new results in the constraint solving community
![Page 64: Constraint-Based Static Analysis of Programs](https://reader030.vdocuments.mx/reader030/viewer/2022012503/617da7c999b08d6fd67a22aa/html5/thumbnails/64.jpg)
Papers
■ Termination analysis (TACAS’01, CAV’02, CAV’05)
■ Linear invariant generation (CAV’03, SAS’04, VMCAI’05, VMCAI’06)
■ Nonlinear invariant generation (POPL’04)
■ Nonlinear invariant generation for hybrid systems (HSCC’04)
■ Differential equations (HSCC’06)
Sriram Sankaranarayanan, Mathematical Analysis of Programs, PhD Thesis, Stanford, 2005.
![Page 65: Constraint-Based Static Analysis of Programs](https://reader030.vdocuments.mx/reader030/viewer/2022012503/617da7c999b08d6fd67a22aa/html5/thumbnails/65.jpg)
Related Work
■ Set-constraint based analysis
◆ [Heintze’93]
◆ [Aiken’99]
■ Termination analysis
◆ [Podelski, Rybalchenko, VMCAI’04, LICS’04]
◆ [Cousot, VMCAI’05]
■ Nonlinear invariants
◆ [Bensalem et al, SAS’00]
◆ [Müller-Olm, Seidl, SAS’02, POPL’04]
◆ [Tiwari et al, TACAS’01, HSCC’03]
◆ [Rodriguez-Carbonell, Kapur, ISSAC’04]
◆ [Cousot, VMCAI’05]
![Page 66: Constraint-Based Static Analysis of Programs](https://reader030.vdocuments.mx/reader030/viewer/2022012503/617da7c999b08d6fd67a22aa/html5/thumbnails/66.jpg)
Current Topics of Investigation
■ Classification of systems with simpler constraint systems
■ Extension to game properties (ATL*)
■ Extension to other domains, in particular nonlinear inequalities
■ More efficient constraint solving strategies